On Fri, Apr 08, 2022 at 08:54:02PM +0200, Vitaly Zaitsev via devel wrote:
> On 08/04/2022 19:30, Kevin Fenzi wrote:
> > We actually had IMA signing all up and running last year from Jan 15th
> > to Jan 22nd. As luck would have it, there was a chromium build in that
> > time:
>
> Now try with
On 01/04/2022 15:33, Ben Cotton wrote:
We want to add signatures to individual files that are part of shipped RPMs.
Can you try signing the breeze-icon-theme and distribution-gpg-keys
packages and post %time output?
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
On 08/04/2022 19:30, Kevin Fenzi wrote:
We actually had IMA signing all up and running last year from Jan 15th
to Jan 22nd. As luck would have it, there was a chromium build in that
time:
Now try with texlive.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
On Fri, Apr 08, 2022 at 12:20:00AM +0200, Fabio Valentini wrote:
> On Thu, Apr 7, 2022 at 11:51 PM Peter Robinson wrote:
> >
> > > > There are plenty of things in an RPM build that already inherently take
> > > > O(N) time in the number of files or the total size of the files, even
> > > >
On 07/04/2022 23:50, Peter Robinson wrote:
Why do you classify that slow down being due to signing?
Because all build packages are stuck in the "signing pending" status.
You can't do anything with them until the sign process is complete.
--
Sincerely,
Vitaly Zaitsev
Hi
On Thu, Apr 7, 2022 at 5:33 PM Matthew Miller wrote:
>
> I don't think we should characterize the Changes process in this way. Fedora
> is a place for experimentation, and if a proposal is rejected, it is totally
> appropriate to adjust that proposal based on feedback and re-submit.
>
On Thu, Apr 7, 2022 at 11:51 PM Peter Robinson wrote:
>
> > > There are plenty of things in an RPM build that already inherently take
> > > O(N) time in the number of files or the total size of the files, even
> > > ignoring %build and %install.
> >
> > Yes, but signing is an extremely slow
> > There are plenty of things in an RPM build that already inherently take
> > O(N) time in the number of files or the total size of the files, even
> > ignoring %build and %install.
>
> Yes, but signing is an extremely slow process. Rebuilding the texlive
> package during the Mass rebuild slows
On Sun, Apr 03, 2022 at 12:03:58PM +0200, Vitaly Zaitsev via devel wrote:
> >We want to add signatures to individual files that are part of shipped RPMs.
> Third attempt to push it through again? It was already rejected by FESCo.
I don't think we should characterize the Changes process in this
On 05/04/2022 13:12, Ben Beasley wrote:
There are plenty of things in an RPM build that already inherently take
O(N) time in the number of files or the total size of the files, even
ignoring %build and %install.
Yes, but signing is an extremely slow process. Rebuilding the texlive
package
I have no idea whether or not this Change would add significantly to
package build times in practice. It’s a good question. I think answering
it would require benchmarks rather than asymptotic reasoning, though.
There are plenty of things in an RPM build that already inherently take
O(N) time
On 04/04/2022 12:34, Fabio Valentini wrote:
I wonder, does this have measurable effect on the time it takes to
build a package?
O(1) -> O(N), where N is the number of files in the RPM package.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
On 04. 04. 22 at 10:29, Peter Robinson wrote:
How will this key be distributed on the distro filesystem or on the web?
The pub keys will be both, I've added a paragraph to the detailed description.
Please add it as TYPE 61 DNS record as well:
> == Detailed Description ==
>
> During signing builds, the files in it will be signed with IMA signatures.
> These signatures will be made with a key that's kept by the Fedora
> Infrastructure team, and installed on the sign vaults.
I wonder, does this have measurable effect on the time it takes
> > == How To Test ==
> > You can verify that a signature has been put in place by looking at
> > the extended attribute by running: `getfattr -d -m security.ima
> > /usr/bin/bash` (change `/usr/bin/bash` with the file to check).
>
> Can one easily query the RPM archive for the signature blob for
On Sun, Apr 3, 2022 at 11:04 AM Vitaly Zaitsev via devel wrote:
>
> On 01/04/2022 15:33, Ben Cotton wrote:
> > We want to add signatures to individual files that are part of shipped RPMs.
>
> Third attempt to push it through again? It was already rejected by FESCo.
Actually only the second
On 01/04/2022 15:33, Ben Cotton wrote:
We want to add signatures to individual files that are part of shipped RPMs.
Third attempt to push it through again? It was already rejected by FESCo.
--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
> [...]
> == How To Test ==
> You can verify that a signature has been put in place by looking at
> the extended attribute by running: `getfattr -d -m security.ima
> /usr/bin/bash` (change `/usr/bin/bash` with the file to check).
Can one easily query the RPM archive for the signature blob for
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
== Summary ==
We want to add signatures to individual files that are part of shipped RPMs.
These signatures will use the Linux IMA (Integrity Measurement
Architecture) scheme, which means they can be used to enforce runtime
policies to